Article by San Diego Attorney Ethan Watts on Selling Cookie Collected Consumer Data In Bankruptcy: A Dot-Com Dilemma

Selling Cookie Collected Consumer Data In Bankruptcy: A Dot-Com Dilemma


By Ethan Watts


Many consider the Internet to be the most important invention of the 20th century in the realm of telecommunications and computing.1 Although at the most fundamental level the Internet is simply a network of computers, it has grown to become an important part of millions of people’s lives.2 Today this global computer network is a virtually limitless source of information for those who have access to it, and provides its users with conveniences such as email, instant messaging, and online purchasing. This powerful and increasingly omnipresent tool has made life easier for Internet users all over the globe.

The Internet did not begin as the user-friendly global computer network it is today. The Internet had modest beginnings in the 1960s at the Defense Advanced Research Projects Agency (DARPA),3 and at that time was primarily used and understood by government and academic researchers. It was several decades later in the 1990s that the Internet experienced swift acceptance by the general public.4 The rapid acceptance of the Internet into the public mainstream was primarily fueled by the widespread adoption of browsers5 and the World Wide Web.6 Browsers and the World Wide Web allowed Internet users to begin easily accessing information contained in the linked computers around the globe that comprise the Internet.7 Today, for example, anyone with an Internet enabled computer in California could access information about the Coliseum on a Web site housed on a server located in Italy, or send an email to a friend in Japan. This aspect of the Internet which allows a user in one country to communicate, interact, or otherwise affect a user in another country gives the Internet an unavoidable international quality.

As with all great innovations, some bad has come with the good. Programming bugs, computer viruses, malicious hackers, computer fraud, child pornography Web sites, and other abuses of the Internet have grown in prevalence and scale as the Internet itself has become more ubiquitous. One of the most important developments of our time, the Internet, with all of its positive and negative elements, has presented many interesting issues to the international legal community.

One issue that has been particularly impacted by the Internet is consumer privacy. The appearance on the Internet of software such as spyware,8 and the practice of online profiling9 through the use of technologies such as Web bugs10 and cookies11 have made privacy on the Internet a hot topic.

However, consumer privacy is by no means an issue unique to the Internet. Companies have long sought to gather as much information about their potential and current customers as legally permissible. Both traditional brick-and-mortar companies12 and dot-coms collect information about consumers in the course of offering products and services. Many companies routinely obtain information about potential and existing customers through surveys, questionnaires, and other methods to better enable companies to target their advertising, and cater to their customer’s preferences.

This collection of information by brick-and-mortar companies through traditional means has sparked some debate, but evidenced by the number of consumers willing to divulge personal information in order to purchase goods and services, the collection of information by traditional means by brick-and-mortar companies seems to have more or less been accepted by the majority of consumers as a necessary byproduct of business.13

Data collection that occurs on the Internet on the other hand, has been met with greater resistance. Online data collection has been a point of contention between privacy rights advocates and consumer protection entities on one side, and dot-coms on the other.14 Further complicating the issue is the fact that national governments have chosen to deal with online consumer privacy in different ways.15 The issue of online data collection and consumer privacy has been litigated in numerous contexts, but the issue has become especially heated when a dot-com files for bankruptcy and attempts to sell the consumer data that it has collected through its website to a third party in violation of its privacy policy.16

While to many it may seem fair that a company should not be allowed to sell its consumer data in violation of its privacy policy, this comment will argue that a company should be permitted to sell consumer data in bankruptcy even if such a sale would violate its privacy policy.17 The specific issue of whether or not a bankrupt dot-com should be able to sell consumer data in violation of its privacy policy to a third party is far from settled in United States law, although it has appeared in the bankruptcy courts.18 In particular, this issue was raised but not fully resolved in In re – a case that shall be examined closely.19 This comment will analyze the issue presented in the case and explain why both policy and existing law support permitting such a sale.

With the ultimate goal of showing why a sale of consumer data in bankruptcy should be permitted with certain qualifications, an examination of the nature of the information collected through Web sites will be necessary. It is the nature of the data that a dot-com has collected via its Web site and pursuant to its privacy policies that is at the crux of the issue, and a legal definition of this data is critical.

The exploration of consumer data and privacy policies will require an examination of bankruptcy law, contract law, property law, and consumer privacy rights. Such a legal analysis should determine whether or not consumer data is property, and if so, whose property it is. An examination of the law will also reveal whether or not a privacy policy is part of an enforceable contract, and if so, what remedies should be available for its breach. Part II of this comment will examine these and other legal issues as they relate to the definition of consumer data obtained through Web sites, and whether the sale of such data by a failed dot-com to a third party should be permitted.

Part II will begin by examining the relevant bankruptcy law and how a Bankruptcy Court would likely deal with a dot-com that attempted to sell its consumer data in violation of its privacy policy. In re and other pertinent cases will be discussed, along with proposed legislation which would attempt to address this issue.20

In addition to examining bankruptcy law, part II will explore both contract and property law in taking on the task of defining consumer data collected through Web sites, and the privacy policies which have become very common on Web sites today. The current legal framework concerning consumer privacy rights in the United States and Europe will also be discussed. The examination of the current consumer privacy rights legal framework in the United States will include federal and state law, and self regulation. European law and its effect on the current United States legal climate in the area of consumer privacy rights is also essential to the analysis because it has had a significant impact on ecommerce21 in the United States.

Part II will also briefly cover a recent history of consumer privacy law in the European Union (“E.U.”),22 and will then examine the legal environment as it exists today in the E.U. The E.U. Directive on the Protection of Personal Data23 and the European Convention on Human Rights and Fundamental Freedoms24 are included in the analysis. Also included is the United States reaction to European legislation and policy, and the Safe Harbor agreement (“Safe Harbor”)25 which is the result of negotiations between the United States and the E.U. regarding consumer privacy online. An understanding of Safe Harbor and its implications is critical to the overall analysis because of its international impact on consumer privacy online.26

Part III will draw conclusions based on the analysis in Part II and will discuss the benefits and liabilities of allowing the sale of consumer data in bankruptcy. Part III will make both legal and cost/benefit-analysis arguments in favor of allowing the sale of consumer data in bankruptcy to third parties. Finally, recommendations for future action in this area of the law will be made along with suggestions for a new treaty.27


A. Bankruptcy Law
i. Background

There are at least two fundamental questions at the heart of bankruptcy law. One question is how to reconcile the use of bankruptcy law to benefit the insolvent debtor with its use to assist the creditors.28 Should bankruptcy law be structured primarily in favor of the debtor or in favor of the creditor? This debate has existed in the United States at least as far back as the Civil War.29 One of the concepts underlying the arguments made by those favoring debtors is that bankruptcy offers the worthy debtor a “fresh start.”30 This concept views bankruptcy as a tool for the overburdened debtor to make good with creditors and begin again with a clean slate. The perceived strength of the fresh-start concept as an argument in favor of a pro-debtor system has varied over time, along with the tilt of the bankruptcy laws. However, the United States has never had a completely pro-debtor system.31 At the very least, bankruptcy law has traditionally given special status to certain property interests (e.g. mortgages) of creditors so that whether or not the debtor is entitled to a completely fresh start has always depended on the nature of the debt.32

Another fundamental issue in bankruptcy law concerns the efficient distribution of the debtor’s insufficient assets among multiple creditors with valid claims on those assets.33 Bankruptcy law has historically sought to resolve the tendency of creditors to “race to the assets” of the debtor by providing a framework under which the assets get apportioned rationally among creditors.34 This unsurprising tendency of creditors to race to the assets derives from the zero sum character of bankruptcy: one creditor’s gain is normally another’s loss. Bankruptcy law attempts to resolve this win-or-lose situation by placing creditors in certain classes, with some receiving their assets before the others (who simply get what is left over, if anything).35 Bankruptcy thus attempts to distribute insufficient assets to creditors in a clear, fair, and efficient manner.

Bankruptcy law also attempts to avoid wasting assets in a bankruptcy proceeding. On the pro-debtor side of the coin, there are circumstances in which the trustee of the estate36 may completely reject contractual obligations in order to sell assets.37 The effect of this power to reject contractual obligations is intended to enable a trustee in bankruptcy to take advantage of a contract by fulfilling its obligations if that would benefit the estate, or reject the contract if it would pose a burden on the estate.38

In addition to attempting to resolve questions concerning rights of debtors and creditors, the courts and law makers have had to grapple with the macroeconomic effects of bankruptcy law. For example, the manner and efficiency with which assets get distributed to creditors (which depends on the structure of the bankruptcy law) has an effect on the cost of credit.39 This is true because part of a creditor’s risk analysis will be its perception of how probable it is that the creditor will be able to collect debts in general, and in the event of bankruptcy in particular.40 The less efficiently assets are distributed in bankruptcy, the greater the perceived risk associated with bankruptcy, and therefore the more credit will cost in order to compensate for the added risk. This negative macroeconomic effect can be minimized by expediting the collection process for creditors in bankruptcy. At least two goals of bankruptcy law are to encourage the maximization of the value of the estate so as to come as close as possible to satisfying all debts, and to do so as fast as possible. The existence of provisions which enable a debtor to reject contractual obligations reflects this goal of value maximization and waste avoidance.41

ii. Bankruptcy Law Applied to Consumer Data

With all of the competing interests the bankruptcy laws have to address42 it is unsurprising that debtors and creditors have at times been rather creative in finding valuable assets. One example of this creativity is the sale of consumer data collected online. The sale of consumer data has become big business because of the data’s value to companies. This data is valuable because of its many uses, including marketing, and tracking sales trends and market share.43

After the technology bubble of the 1990s burst, insolvent dot-coms quickly discovered that the consumer data they had collected in the course of doing business was a valuable asset. Traditionally, bankruptcy laws have permitted the sale of consumer data.44 In general, consumer data is considered property of the company that collected it, and can be sold as part of the business or separately, as the company sees fit.45 As noted above, such consumer data can be quite useful, and often is the failed dot-com’s most valuable asset.46

There does not seem to be a strong legal argument for restricting the sale of such assets unless the insolvent company that collected the data did so under a privacy policy which prohibits or restricts such a sale.47 In such a case the nature of the privacy policy becomes critical to the analysis.48 Some might view a privacy policy as creating a contract between the company and consumer. Whether or not a privacy policy would create a contract, and if so, what the remedy should be for its breach, is best answered by examining the nature of the privacy policy under contract law.

B. Contract Law

If a bankrupt dot-com has collected consumer information in the absence of a privacy policy, the trustee of the estate must sell the consumer data in order to maximize the value of the estate.49 Mandating the sale of consumer data in this situation (where the dot-com has not made promises restricting the sale of the data) is in harmony with bankruptcy law’s perennial goal of value maximization. However, when a privacy policy existed at the time the data was collected, the nature of that privacy policy becomes crucial. The question becomes whether the sale of consumer data is permissible when it was collected pursuant to a privacy policy restricting such a sale. The answer to this question in turn depends on whether or not a privacy policy would qualify as an enforceable contract and in what respects.

At the most fundamental level, a privacy policy does seem to embody the elements of a contract. For example, in a typical case the dot-com (via its privacy policy) is promising to protect the consumer’s information and not to sell it to third parties. The consumer, in purchasing the company’s goods or services, is promising to provide (or in some cases providing) the information. Thus at a fundamental level we have an exchange of promises that looks like it forms a contract.50

This contract formation can also be conceptualized in terms of offer, acceptance, and consideration. Under this conceptualization, the Web site advertisement serves as an offer made by the dot-com,51 and the privacy policy could be viewed as some of the terms of the offer. The consumer, in submitting her personal information and paying for the goods or services online, accepts the dot-com’s offer. Consideration for the dot-com’s promise of privacy comes in the form of money and in personal information. Consideration for the consumer is goods or services, and perhaps whatever assurances were made in the privacy policy regarding her personal information.

While at first this offer, acceptance, and consideration conceptualization may seem straightforward, a problem arises upon further examination of the consideration in this typical scenario. The valid formation of a contract, in addition to the basic requirement of the existence of a promise or promises, requires consideration.52 Without consideration, a contract is potentially unenforceable.53

While consideration has been defined in various ways throughout the history of contract law, presently it is most commonly referred to as part of a “bargained for exchange.”54 Under the bargained-for-exchange theory, essentially anything that anyone could bargain for in exchange for a promise could be consideration for that promise.55 The issue in the case of goods or services sold and information collected pursuant to a privacy policy becomes whether or not the dot-com’s promise not to sell the consumer’s data to a third party was actually bargained for by the consumer.

In order to bargain for the promises in a dot-com’s privacy policy it would seem reasonable that consumers would need at least to be aware of the privacy policy and to have read it. Otherwise how could a consumer have sought after, or bargained for the promises contained in the privacy policy? The situation in which a consumer does not read a privacy policy before purchasing goods or services occurs more often than perhaps some would think. Surveys and studies reveal that not many consumers even read privacy policies before purchasing goods or services from a Web site, and most of those that do only glance at the policies.56 Even those consumers that do intend to read privacy policies will often find that they are required to click on several links in order to find them, and when they do find them the policies can be long and difficult to read. Such consumers with initial intentions to read a privacy policy may find it too difficult and decide to merely skim over it, or skip it all together.

If a consumer does not even read the privacy policy, it is difficult to view such a consumer as seeking or bargaining for the promise not to sell the consumer’s data to third parties. The Restatement Second of Contracts in section 75 requires that the consideration be “sought by the promisor in exchange for his promise.”57 The case where the consumer does not read the privacy policy would seem to lack consideration under this requirement. However, regardless of whether or not the consumer has read the privacy policy, ultimately the determination of the existence of a bargained-for exchange is a question of fact, and so will depend on the circumstances of a given case.58 Courts adhering to the principles of the bargain theory will likely look to the promisor’s purpose and means in making the promise.59 If the consumer was unaware of the privacy policy’s existence it does not seem as though the consumer is seeking to induce the terms promised on the privacy policy (terms including the promise not to share her data with third parties).

The fact that privacy policies and other online documents such as license agreements (when not conspicuous or required to be read) are in most cases not really part of the parties’ bargaining process argues in favor of not enforcing them as contracts. Some courts have agreed with this logic. In Ticketmaster Corp. v., Inc.60 the United States District Court for the Central District of California found that a license agreement61 which was posted on Ticketmaster’s Web site and linked to at the bottom of the Ticketmaster Web site home page did not form a contract with Web site visitors because it did not force visitors to assent to the license before accessing Web pages.62 The court noted that “the terms and conditions are set forth so that the customer needs to scroll down the home page to find and read them.”63 The court also noted that Ticketmaster’s license agreement was different from many other company’s license agreements in that the Web site visitor is not forced click on an “agree” button before accessing the Web site and its services.64 The court went on to say in its opinion “It cannot be said that merely putting the terms and conditions in this fashion necessarily creates a contract with any one using the web site.”65

The Ticketmaster outcome makes sense in that, as the court seems to suggest, it cannot be assumed that Web site visitors read the license agreement before accessing the Web site. After all, how can something enter into the bargained for exchange if it was not even known to exist by one of the parties?

The United States Second Circuit Court of Appeals employed nearly identical reasoning in Specht v. Netscape Communications Corp.66 in which it found that when internet users downloaded software from Netscape Communication’s Web site, they did not manifest assent to the terms of a license agreement posted on the Web site. The license agreement was located on a submerged screen, and the court found that a reasonably prudent internet user would not have known or learned of the existence of the license terms before responding to Netscape Communications' invitation to download software.67

Although it is true that cases such as Ticketmaster and Specht involved buyers (or free software users) instead of sellers arguing in favor of not finding a binding contract, the principle remains the same. Why should either party be bound to the terms of a privacy policy that one party did not even read? Regardless of the relative bargaining positions of the parties involved, these cases show that there may be difficulty for a consumer who has not read a privacy policy in establishing that that policy is tantamount to a contract.

C. Contract Law and Bankruptcy Law Revisited

Even if a privacy policy survives attacks claiming a lack of consideration and is viewed as part of a contract between the company and the consumer, the nature of that contract must be determined. A privacy policy might be considered an executory contract. The question whether or not a contract is executory is important in the bankruptcy context because it may be determinative of the debtor’s ability to breach the contract (privacy policy) and sell consumer data.68

The bankruptcy code does not define the phrase “executory contract,” and jurisdictions are divided on an appropriate test.69 Some jurisdictions determine whether or not a contract is executory by applying the traditional “Countryman” test.70 A contract is considered executory and therefore meets the Countryman test only where the obligations of both parties to the contract “are so far unperformed that the failure of either to complete performance would constitute a material breach excusing the performance of the other.”71

It is possible but doubtful that a court would find a privacy policy to be an executory contract under the Countryman test. In the typical situation, the consumer has purchased goods or services, paid for and received the goods or services, and provided information in the process.72 Essentially the transaction is complete and the only obligation that remains to be performed is the company’s promise to keep the consumer information confidential and to not sell it. While this might be considered “so far unperformed” as to constitute a breach if the company does not fulfill its promise, the consumer has presumably at this point completed her end of the bargain.

Other jurisdictions subscribe to a more modern test in which a contract is considered executory if any obligation by the debtor remains.73 Under this test a court would likely find the privacy policy to be an executory contract. The failed dot-com’s remaining obligation is its continuing promise to not divulge the consumer’s information or to sell it to a third party. This continuing obligation creates an executory contract.

Under section 365 of the Bankruptcy Code, an executory contract may be rejected subject to the court’s approval.74 If the contract were considered executory, then the one hurdle remaining for the debtor would be getting the court’s permission which is required for rejecting the contract under section 365(c).75

Here the court obviously has a choice, and in the situation where a successor in interest in a similar line of business is waiting to purchase the consumer information, the court should allow the rejection of the privacy policy and permit the sale.76 The consumer’s privacy interests are adequately protected by only allowing such a sale to a successor in interest operating the same type of business as the debtor.77 The successor in interest would also be required to agree to otherwise abide by the privacy policy pursuant to which the consumer data was collected. This rejection of the executory contract and accompanying sale of consumer data will aid in maximizing the value of the estate in pursuit of bankruptcy law’s goal of avoiding waste where reasonable.

D. Property Law

So what exactly is this customer data that dot-coms collect from consumers? In order examine contract and bankruptcy law more meaningfully, it is important to define as best we can the data that is collected. It must be determined whether such information should be considered property and properly part of the bankruptcy estate.78

Typically the consumer data that is collected pursuant to an online privacy policy is a list of customer names along with information about those customers.79 Information collected on a Web site can be divided into two categories. In one category, the information is actually asked for as part of a transaction. An example of a method of collecting this type of information would be a Web form80 or online questionnaire that the consumer is asked to fill out before purchasing goods or services.

The other category of information collected is information that is simply gathered as the consumer interacts with the dot-com’s Web site.81 An example of information in this category is information about which Web pages a Web site visitor has viewed or the type of browser a visitor is using to view the Web pages.82

Information in the first category that is requested directly is most often gathered through the use of Web forms or online questionnaires that must be filled out by the prospective customer before purchasing goods or services from the dot-com.83 This form of information gathering probably causes less concern to the average consumer who at least is aware of the data being collected.84 It is the second form of information gathering that is more likely to worry some consumers.85

Although new technologies and the online environment have made this second, surreptitious form of information gathering more common, it is not unique to the Internet. One example of its practice in the brick-and-mortar business world is the use of ‘discount’ or ‘membership’ cards by grocery stores. Many consumers who shop at major grocery stores with these discount or membership cards may not realize that beyond saving a few cents on a bag of chips they are also facilitating the company’s collection of data concerning the consumer’s shopping habits.86 The grocery store then uses this information for marketing purposes, and in come instances will share the information with third parties.87 All that new technologies and the online environment have done is make the compilation of such customer lists much easier, and in many cases more valuable than lists accumulated by brick-and-mortar companies.88

Property, at the most general level, could be defined as an aggregate of valuable rights or interests in a thing which are protected by law.89 More specifically, property refers to ownership; “the unrestricted and exclusive right to a thing…”90 The “exclusive right” to a thing refers to fundamental rights associated with property, such as the right to exclude, transfer, possess, and use.91 These fundamental rights have been recognized by common law not only in owners of existing things, but also in owners who have created new entities.92

Entities, such as customer lists, which are comprised of individual pieces of information and which by themselves may not be very valuable, can become quite valuable when compiled in a meaningful way.93 The creation of customer lists has been viewed by the courts as just such an valuable entity, and consequently in many cases has been given trade secret status.94 There is strong support for this treatment of customer lists as trade secrets in the Uniform Trade Secrets Act.95 Many dot-coms’ customer lists would likely be included in the Uniform Trade Secrets Act’s definition of trade secrets, which includes information that is compiled and that “derives independent economic value… from not being generally known to, and not being readily ascertainable through proper means by, other persons who can obtain economic value from its disclosure or use, and (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.”96

The treatment of customer lists as trade secrets, and the recognition that they are entities of value argues in favor of their status as property. The question becomes whether this entity (customer list) is property of the dot-com which it has a right to sell in bankruptcy. Bankruptcy courts answer this question in the affirmative – finding that such customer lists are valuable assets to be included as part of the estate under section 54197 of the bankruptcy code.98

E. Consumer Privacy Rights
i. Consumer Privacy Rights in the E.U.

The E.U. has taken a substantially more protective approach to consumer privacy online than the U.S. since the explosion of the Internet in the 1990s.99 This is at least partially a result of the fact that European countries tend to view privacy as a “fundamental right.”100

A comprehensive overview of the history of European privacy law is beyond the scope of this comment. However, some background will be helpful and will be achieved by examining the European Convention on Human Rights and Fundamental Freedoms (“ECHR”).101 The ECHR is a fairly lengthy and complicated document and this section is only intended as a general overview of the Convention. The Council of Europe (“Council”), which was founded in 1949 in “order to promote greater cooperation and understanding between European states”, drafted the ECHR.102 The Universal Declaration of Human Rights103 (“UDHR”) served as a guideline for the ECHR, but from the beginning the ECHR, unlike the UDHR, was intended to be a binding legal document.104

The ECHR guarantees, inter alia, the right to privacy. Article 8 states:
(1) Everyone has the right to respect for his private and family life, his home and his correspondence.
(2) There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.105

Thus the Article sets up a two-part test in determining if there has been a violation of this Article. First, has there been an intrusion on the right of privacy? Second, is the governmental interference justified?

If an individual or state alleges a privacy violation, they can apply to the European Commission of Human Rights (“Commission”)106 for relief under the ECHR.107 If the Commission decides that there has been a prima facie violation, then the matter is investigated and the Commission seeks a friendly settlement between the applicant and the state.108 If a settlement cannot be reached, the Commission prepares a report stating an opinion as to whether the ECHR has been breached or not.109 The Commission or the state may refer the case to the European Court of Human Rights within a period of three months after the Commission’s decision.110

The ECHR is perhaps more far reaching than any privacy legislation in the United States, but does not have as direct an effect on American companies doing business with European consumers as other European legislation does. Perhaps the most important European legislation for issues regarding privacy rights online is the Data Protection Directive (“Directive”),111 which was adopted by the E.U.’s Council of Ministers on October 24, 1995.

After the Directive’s adoption, E.U. member states were given three years (until October 24, 1998) to bring their respective laws into compliance with the Directive.112 The Directive was then issued in 1998,113 and has since been incorporated as national law by all the E.U. member states except Ireland and Luxembourg.114

The Directive was issued out of increasing concern over the growing trend of companies collecting consumer information, and in order to set a clear standard of privacy for the member nations.115 The Directive has had a greater impact than some would have predicted in the area of e-commerce because the Internet has allowed personal data to be more easily collected and sold.116

The Directive attempts to protect individual informational privacy by imposing an affirmative obligation on E.U. governments and private industries that collect and “process” consumer data to do so only for specified and legitimate purposes.117 "Processing" is interpreted to include any collecting, recording, altering, and making of data available in any form.118 The individual whose data is to be processed must contractually consent to the processing or collection of his or her personal information, or the processing must be necessary to carry out pre-contractual measures undertaken at the request of the individual.119

Organizations can also process data when it is necessary for compliance with a legal obligation, or where the activity involved is an assignment of public interest, not involving an infringement of fundamental rights and freedoms.120

The Directive also grants individuals the privilege of requesting that erroneous data be corrected, and dictates that individuals must be given notice before any information may be collected or processed in any way.121 The notice must tell the individual why the information is being collected and any intended future uses of the collected data, and "the types of third parties to which [the organization] discloses the information and the choices and means the organization offers for limiting its use and disclosure."122

The Directive can best be described by noting its most fundamental principles, which can be found in Article 6:
1) Personal data has to be “processed fairly and lawfully.”123
2) Personal data can only be “collected for specified, explicit and legitimate purposes.”124
3) The data must be “adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.”125
4) The data has to be accurate and contemporary. If the data does not comport to this requirement, it must be erased.126
5) The data has to be kept in such a manner as to enable the identification of data subjects.127

The Directive also has an effect on entities beyond companies and consumers in E.U. member states. The Directive contains several provisions that deal with the flow of information and data across international borders.128 Those provisions essentially require that any personal data flowing out of member states must be adequately protected by the receiving country.129 The protections the receiving country must provide need to comply with the provisions of the Directive as if the receiving country were essentially an E.U. member state.130 There are, however, exceptions to this general rule.131

Examples of exceptions are when the subject of the personal data has fully consented to the transfer and use of the data in question, or when the transfer of personal data is necessary for an important public policy reason.132 Member states decide whether the receiving country has laws in place that adequately protect the personal data to be transferred.133 This decision will depend on the nature of the personal data and the method of transfer as well as the receiving country’s legal structure regarding privacy.

ii. Consumer Privacy Rights in the United States

While the E.U. has implemented relatively broad-based data protection legislation primarily in the form of the Data Protection Directive discussed above, the United States has generally been more hands-off in privacy regulation.134 The United States hands-off approach to privacy regulation on the Internet can be traced to an overall laissez faire attitude towards the Internet generally.135 This hands-off approach has relied more on industry self regulation than on broad-based legislation of the kind seen in Europe.136

The United States Constitution does not directly protect individual privacy, but the constitution has been interpreted to protect individual privacy – primarily from federal or state government invasion.137 The U.S. approach has been less in recognition of an explicit and absolute fundamental right to privacy, and more a balancing between the right to privacy and society’s interest in putting to use an individual’s information.138 Generally the U.S. has dealt with consumer privacy issues relating to the Internet through federal and state statutes and regulations, and through case law.139

a. Statutes

Congress has passed a number of statutes which strive to protect individual privacy rights in personal information. Statutes that affect the issue of whether or not a dot-com should be allowed to sell consumer data in bankruptcy are addressed below, as are important pieces of legislation in the area of consumer privacy, but an exhaustive survey of all consumer privacy related statutes is unnecessary.

The Fair Credit Reporting Act (“FCRA”) is a fairly comprehensive statute passed by congress in 1970.140 The FCRA essentially dictates when information about consumers may be released without the consumer’s consent.141 The FCRA’s purpose is to ensure that consumer information on credit reports is confidential, relevant, and accurate.142 The FCRA notes that consumer reporting agencies have an important role in assembling and evaluating consumer credit and other information on consumers. The act states in part that “it is the purpose of this subchapter to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information…”143

The FCRA does therefore address information collected online through Web sites, but it is explicitly targeted at credit-reporting companies. The FCRA says nothing about information collected by other entities (e.g. lists describing consumer preferences or biographical information) or even consumer information purchased by other entities from credit agencies or credit card companies.144

The Federal Privacy Act (“Privacy Act”) was passed by Congress in 1974.145 Like the FCRA, the Privacy Act is targeted at a certain class of data collectors which in the case of the Privacy Act is federal agencies.146 Similar to the FCRA in its treatment of personal information, the Privacy Act dictates that federal agencies may collect personal information to the extent that the data is relevant to accomplishing the agency’s goal.147 In another respect similar to the FCRA, the Privacy Act mandates that information collected must be accurate.148 This is just one of many examples of regulations affecting the federal government’s ability to use and disclose personal information.149

An example of a statute that is broader in its potential application to entities that collect information, yet more restricted in the type of information it applies to is the Video Privacy Protection Act (“VPPA”).150 The VPPA essentially prohibits the disclosure of consumer video rental histories.151

Although this statute prohibits the disclosure of information that could have been collected online, just as other statutes discussed above, it does not seem to directly apply to the fundamental issue of this comment which concerns the initial collection of personal information and then the sale of that information in bankruptcy.152

Perhaps the most pertinent piece of legislation to date (as to the issue presented in this comment) is a statute enacted by Congress to protect personal information collected online pertaining to children. The Children’s Online Privacy Protection Act (“COPPA”) was enacted in 1998 to provide safeguards for the use of information collected from children under the age of thirteen.153

Generally the COPPA regulates operators of Web sites directed to children that collect information from children.154 Some of the requirements of the COPPA include that such Web site operators provide notice on the Web site of “what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information…”155 Furthermore, the COPPA requires parental consent for the collection and use of personal information, a description of the type of information collected, and the opportunity to refuse to permit the Web site operator’s continued use of the information.156

While fairly far-reaching when it comes to children under the age of 13, the COPPA, like other statutes dealing with data collected online, does not really deal with the issue of a dot-com selling data in bankruptcy, at least at a fundamental level (insofar as it does not apply to all persons). After all, the vast majority of consumers online are persons over the age of 13.157 In effect what Congress has done thus far is target legislation at specific industries or issues, but it has left the general issue of online privacy to industry self regulation.158

b. Case Law
1. FTC Cases

The FTC has by far been the most active federal authority in enforcing consumer privacy online. The FTC typically will file suit against a dot-com which is in violation of the Federal Trade Commission Act (“FTCA”).159 A common violation has been when a dot-com has engaged in a “deceptive practice.”160 15 U.S.C. section 45 states in relevant part: “Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.”161 The FTC will find an act or practice deceptive if it has three elements: 1) there is a representation, omission, or practice that, 2) is likely to mislead consumers acting reasonably under the circumstances, and 3)the representation, omission, or practice is material.162

The first FTC case involving consumer privacy online was In re GeoCities.163 GeoCities is a dot-com which offers a wide array of services online.164 The FTC alleged that GeoCities sold and disclosed personal information to third parties for purposes other than those for which consumers had given permission, and contrary to the GeoCities privacy policy.165

GeoCities and the FTC settled pursuant to a consent order which required GeoCities to post a privacy policy notifying consumers “what information is being collected and for what purpose, to whom it will be disclosed, and how consumers can access and remove the information.”166

The GeoCities case was one of many cases in which the FTC sought to police online privacy. These and other cases deal with the periphery of the principal issue of whether an insolvent debtor should be permitted to sell data collected online in bankruptcy. There are cases which have dealt with and defined the sort of customer lists addressed in this comment – but the courts are split on the treatment of customer lists collected online.167 There have been very few cases dealing with the specific issue of dot-coms selling personal information in bankruptcy. One case that did address this specific issue is In re was a Web site that sold educational children’s toys over the Internet.169 As part of doing business over the Internet, collected information about consumers that purchased toys on its Web site.170 The information collected included names, addresses, shopping preferences, and family profiles.171

The information collected pertained to people who visited the Web site or purchased toys from, and included information collected from children under the age of 13.172 As did many dot-coms in the late 1990s, ran into financial difficulties, and its creditors filed an involuntary chapter 11 action against it. then sought to sell its customer data base, which included the information it had collected on its customers.173

The proposed sale of customer information was in violation of’s posted privacy policy, which had a Trusted Universal Standards in Electronic Transactions (“TRUSTe”)174 seal of approval on it.175 The privacy policy stated in relevant part: “Personal information, voluntarily submitted by visitors to our site, such as name, address, billing information and shopping preferences, is never shared with a third party.” The policy also stated: “When you register with, you can rest assured that your information will never be shared with a third party.”176

The FTC determined that was in violation of COPPA and sued in a Massachusetts district court to enjoin the sale of the consumer information.177 This was the FTC’s first suit under the COPPA, but the issue was not resolved in court.178 The FTC and decided to settle.179 The FTC-approved settlement agreement prohibited from selling information from its customer data base as a “stand-alone asset.”180 However, the settlement did allow to sell the information to a “qualified buyer”181 in a “related market” that “expressly agrees to be Toysmart’s successor-in-interest as to the customer information.”182 This was considered to be consistent with’s privacy policy because such a qualified buyer would essentially treat the consumer information just as had.183

The district court did not share the FTC’s position on allowing a qualified buyer purchase the customer database and did not approve of the settlement agreement.184 Subsequently the issue was resolved when Walt Disney Company Incorporated (“Disney”), the parent company of, decided to purchase the customer list and destroy it.185 It is unclear how the case would otherwise have been resolved if Disney had not decided to end the dispute by destroying the information. Obviously, the value of the information was lost when the information was destroyed. For what, one might ask? What exactly was the bankruptcy judge trying to accomplish by not allowing the two parties to settle the dispute? If it was to protect consumer’s privacy rights, was this really accomplished? Would consumers’ privacy rights have been compromised if their information had been sold to a successor-in-interest which operated in the same industry as the debtor? Perhaps the greatest good for the greatest number of interests involved would have been better served had the bankruptcy judge allowed the settlement agreement as proposed by the FTC and

2. Common Law Tort of Invasion of Privacy

There are four separate common law torts of invasion of privacy: intrusion upon seclusion, public disclosure of private facts, false light, and misappropriation of name or likeness for commercial purposes.186 None of these common law torts seem to apply to the situation where a failed dot-com sells consumer data in violation of its privacy policy. The torts of intrusion upon seclusion and public disclosure of private facts do not provide recourse to the complaining consumer because the information was obtained voluntarily in the first place.187 False light does not apply because the consumer would not allege that the dot-com is selling false information, but simply that they are selling private information.188 Misappropriation of name or likeness for commercial purposes does not seem to fit either, mainly because the ‘misappropriation’ the tort refers to does not apply. Dot-coms are not using the consumers’ name or likeness to advertise or provide some sort of testimonial for a product or service, but rather dot-coms are selling the data for money so that other companies may use that data in conjunction with other consumers’ information to make targeted marketing decisions, or perhaps to predict product trends.189

c. Self Regulation

The United States has traditionally sought to enforce online privacy rights by industry “self-regulation.”190 Industry self-regulation is seen by many to be the most effective and least intrusive way to enforce privacy rights on the Internet.191

TRUSTe is a good example of an organization that has played an active role in the online community’s self-regulation. One of the goals of TRUSTe is giving online consumers “control over their personal information.”192 One of the ways TRUSTe attempts to accomplish this goal is by allowing its “privacy seal”193 to be placed on Web sites that comport with TRUSTe’s guidelines.194

Other examples of such watchdog organizations include, BBB Online (Better Business Bureau), and The Electronic Privacy Information Center.195 There are alliances consisting of major online companies such as the Online Privacy Alliance (“OPA”) whose members include America Online, Microsoft, Intel, and others.196 The OPA seeks to “support self-regulatory initiatives that create an environment of trust and that foster the protection of individuals’ privacy online and in electronic commerce.”197 Organizations such as the OPA have had varying levels of impact on consumer privacy online. Some have been successful, but as the FTC noted in its report to Congress on privacy online in 2000, self-regulatory initiatives have been successful to a certain extent, but have not fully resolved the issues of privacy online.198 It is difficult, however, to imagine any self-regulatory system or statutory scheme that would ever completely resolve all the issues associated with privacy online. Progress has been made through industry self-regulation, and furthermore, in the world’s leading market economy whenever there is demand it is probably safe to assume that companies will respond to that demand with products and services.199

iii. E.U. and U.S. Law Interaction: Safe Harbor

Given the state of U.S. online industry self-regulation it was clear at the time of the passage of the E.U. Directive that some U.S. companies might not be in compliance.200 The possibility of a significant loss in trans-Atlantic trade was enough to concern U.S. authorities, and intergovernmental negotiations commenced in 1998.201 These negotiations aimed to establish an agreement, or “Safe Harbor” to allow U.S. companies continued access to European consumers.202 The E.U. and U.S. did establish such an agreement which resulted in the Safe Harbor and its seven principles.

The seven Safe Harbor principles are:
1) Notice: among other requirements, the notice principle requires that the organization inform individuals about all purposes for which it collects and uses information, and the types of third parties to which it discloses the information. This notice must be clear and conspicuous, and given when individuals are first asked to provide personal information.203
2) Choice: this “opt out” principle mandates that the organization give the individual a choice whether their personal information is to be disclosed to a third party or to be used for a purpose that is incompatible with the purposes for which it was originally collected.204 For especially sensitive information, the individual must opt in before the information can be disclosed to a third party.205
3) Onward Transfer: the organization who wishes to transfer collected information (after the Notice and Choice principles have been satisfied) to a third party, must ascertain that the third party subscribes to the Safe Harbor principles or is subject to the Directive.206
4) Security: organizations collecting personal information must take reasonable precautions to protect it from loss, misuse, and unauthorized access, disclosure, alteration and destruction.207
5) Data Integrity: information must be relevant for the purposes for which it was collected, and the organization should take reasonable steps to ensure that the collected information is reliable, accurate, complete, and current.208
6) Access: individuals must have access to their personal information.209
7) Enforcement: there must be mechanisms for assuring compliance with the Safe Harbor principles – including remedies for individuals in the case of non-compliance.210

While perhaps more restrictive to dot-coms than an entirely self-regulated environment, the Safe Harbor principles are generally less restrictive than the Directive itself.211 On the other hand, companies that take part in Safe Harbor are essentially entering into an agreement with the Commerce Department and the E.U.212 As evidenced by the Safe Harbor’s principles 2 and 3, a bankrupt dot-com that falls under the purview of Safe Harbor may be in violation when it attempts to sell its consumer data. However, this may be in direct conflict with what is allowed under bankruptcy law.213 The outcome of a case involving a bankrupt dot-com which subscribed to Safe Harbor and attempted to sell its consumer data in potential violation of Safe Harbor would partly depend on the enforcement mechanism of Safe Harbor. In theory, the Safe Harbor enforcement mechanism is to be carried out by a system that the company set up in compliance with the Safe Harbor principles.214 If this mechanism fails, the last resort in enforcement is the FTC or other federal authorities which would have jurisdiction depending on the case.215 Federal authorities, in such a case, might recognize that this type of sale would benefit the estate by maximizing its value, and that consumer privacy interests are protected if the sale is made to a successor-in-interest. The FTC showed its willingness to allow just such a sale in In re as mentioned supra.216


Perhaps a straight-forward solution to the issue from the dot-com perspective would be for dot-coms to simply state on their privacy policies that they reserve the right to sell consumer information to a successor-in-interest if the dot-com becomes insolvent.217 Yet a better online world would be one in which there is a treaty expressly allowing the sale of consumer data by an insolvent company to a successor in interest even if such a sale would violate the failed company’s privacy policy.218 Such a proposed treaty would allow a bankrupt business to sell consumer information so long as the purchaser agrees to be the failed business’ successor-in-interest and is essentially engaged in the same business as the insolvent debtor. This treaty would operate much like the proposed settlement between the FTC and discussed above.

Even the FTC, which has been the most active governmental enforcement mechanism of consumer privacy online, agreed with a scheme in which a bankrupt dot-com would be able to sell consumer data to a successor-in-interest. Although flexibility may be a benefit in granting bankruptcy judges the discretion to allow or disallow such a scheme (as does the current United States legal framework, made apparent by the outcome in the case), much clarity could be gained by establishing a treaty.219 Such a clear treaty would help guide both consumer and company expectations, while, as the FTC recognized in the case, maintaining consumers’ privacy interests.

Such a treaty would also avoid the wasteful destruction of valuable information. One benefit of avoiding the destruction of valuable information is that it lowers the cost of credit. If creditors know that consumer information can be sold and therefore has value in a bankruptcy proceeding, the cost of extending credit will diminish accordingly.

Consumer information is most valuable when a substantial amount of it is aggregated, and it derives most of its value from the ability of companies to use it in targeted marketing and customizing consumer’s experiences at the companies’ Web sites.220 The ability to customize consumers’ experiences on a company Web sites is not only valuable to the company, but is of value to many consumers as well. Such customizations can make a consumer’s experience on a company Web site much more enjoyable and efficient. In addition, consumers and companies both benefit from targeted marketing of products and services made possible through the collection of consumer data. The companies save advertising dollars by being able to target consumers that are more likely to purchase their products or services, while consumers will enjoy advertising tailored to their interests, and will benefit from lower prices resulting from less money spent on wasteful advertising.

This proposed treaty would treat the promise on a dot-com’s privacy policy to keep user information confidential and not to sell it to third parties just like any other contractual promise. The treaty would treat the breach of a privacy policy that promises the company will not sell consumer information in bankruptcy as an efficient breach – but only if the sale otherwise complied with the statute.

Such a treaty might also re-kindle venture capitalists’ interest in dot-coms.221 Venture capitalists would be assured that dot-coms that fail at least might have valuable consumer databases to sell in bankruptcy. This would decrease the risk associated with investing in dot-com startups, and would increase the funding available to them.

Beyond avoiding waste, rekindling venture capitalist investment, lowering the cost of credit, and other economic benefits to all parties involved, the proposed treaty would adequately protect consumers’ privacy interests. As noted above, most consumers do not even bother to read a privacy policy before purchasing goods or services online, so it is unlikely that the majority of consumers are even concerned with a dot-com having their name and other biographical information. Consumer information is most valuable to companies when a large amount of it is aggregated, and it is in this form that it is often transferred. But it is in this form that it should be of the least concern to the consumer. After all, the consumer’s information (if personally identifiable at all) is just one of many others’ information.

In the case of the consumer who has actually read the dot-com’s privacy policy and accepted its terms by doing business with the dot-com, it seems as though even she has little justified concern if the bankrupt dot-com is merely selling her information to a company pursuant to the proposed treaty. In such a case, not only has the purchaser agreed to treat her information just as the bankrupt dot-com promised to, but it is also in the same industry as the bankrupt dot-com. This assures the consumer that her information will be used in the same sorts of ways, and by the same sort of company that it was acquired by in the first place. This is true because the purchaser would have to qualify under the proposed treaty and would operate in the same business as the failed dot-com. In other words, the information would be used for whatever purposes it was being used for when the consumer consented to the collection of their information.

The courts have allowed the sale of consumer lists in the traditional brick-and-mortar company context. The proposed treaty would simply apply the same analysis and allow the sale of consumer lists collected online. Although these lists are obtained in differing ways and utilizing different technologies, the effect of obtaining them is essentially the same.

Finally, for the disgruntled consumer who can actually prove damages for the breach of the privacy policy, the proposed treaty would allow her both general and specific damages. These damages are likely to be small, however, unless there is some abuse of the consumer data that violates other provisions of the privacy policy or the treaty.222


See Kevin Maney, A Century of Innovation, USA Today (1999), at; see also Lemelson-MIT Survey Finds High School Students, Their Parents Agree - and Disagree - on the Most Important 20th Century Inventions, at

Although it is perhaps impossible to determine how many people use the Internet, and therefore equally impossible to determine for how many people the Internet is an important part of their lives, there are many surveys that attempt to estimate how many people use the Internet. How Many Online?, ComputerScope Ltd. (2001), at (estimating the number of people online worldwide to be 605 million); Population Explosion, Jupitermedia Corporation (2003), at,1323,5911_151151,00.html.

The Defense Advanced Research Projects Agency (DARPA) was originally named the Advanced Research Projects Agency (ARPA). Barry M. Leiner, Et Al. A Brief History of the Internet, Internet Society, (August 4, 2000), at

Barry M. Leiner Et Al., A Brief History of the Internet, Internet Society, (August 4, 2000), at

A browser (short for Web browser) is a software application used to locate and display Web pages. An example of a browser is Microsoft’s Internet Explorer which is a graphical browser that allows users to display graphics, video, audio, and text found on the Internet., (2003), at

The World Wide Web was invented by Tim Berners-Lee and is a system of servers that supports HTML (Hyper Text Markup Language) documents. These HTML documents (or Web pages) make enable links, graphics, video, and audio over the Internet. Essentially, the World Wide Web system is the online environment of Web pages that one sees today when navigating the internet. For an outline of the history of the Internet and the World Wide Web, see Robert Cailliau, A Little History of the World Wide Web, World Wide Web Consortium (1995), at

7 Leiner Et Al., supra note 4.

Spyware is also called “adware.” Spyware is software that surreptitiously gathers user information from the user’s computer and Internet connection without his or her knowledge. The information is normally collected for advertising purposes. Spyware is typically downloaded from the Internet embedded in Freeware or Shareware programs. The spyware can be difficult to detect as it often only comprises a component of the desired software. When the spyware has been installed, it monitors user activity on the Internet and secretly transmits that information to another computer. Spyware can gather virtually any information housed in the user’s computer, and information relating to the user’s movement across the Internet. Because the spyware exists as an independent executable program, it has the ability to monitor keystrokes, scan files on the hard drive, snoop other applications such as chat programs or word processors, install other spyware programs, read cookies, change the default home page on the Web browser, consistently relaying this information to another computer where it is often used for advertising/marketing purposes or to sell the information to another party. The kind of information the spyware program can obtain is unnerving. E.g. spyware can gather information about the Websites the user has visited, e-mail addresses, and even passwords and credit card numbers. Typically users will unwittingly install spyware when they install some other program that they have downloaded from the Internet. Many Internet users have fallen victim to spyware when they have downloaded peer-to-peer file swapping programs that are available today (often for free). Spyware obviously raises issues of privacy. Beyond debatably violating a user’s privacy, spyware also uses the computer's memory, resources, and bandwidth as it sends information back to another computer through the user's Internet connection. Because spyware is using memory and system resources, the applications running in the background can lead to system crashes or general system instability. Licensing agreements that come with software downloads sometimes notify the user that a spyware program will be installed along with the requested software, but users may not always read these licensing agreements thoroughly enough to discover the spyware notification. For a definition of spyware, see (2003), at

Online profiling is normally conducted through the use of banner ads displayed on Web pages which are not necessarily selected or delivered by the Web site visited by a consumer, but by network advertising companies that manage and provide advertising for multiple unrelated Web sites. In addition to supplying the banner ads, these network advertising companies normally gather information about the consumers who click on their ads. The data gathered by network advertisers is often anonymous (i.e. the profiles are linked to the identification number of the advertising network's cookie on the consumer's computer rather than information that could be traced back to a particular individual), but in some instances the information gathered from consumers' clicks on Web site banner ads are combined with personally identifiable information. This is information that could be collected via other means and is often combined with information collected through other methods (e.g. surveys). This information is normally collected to allow the network advertisers to better target their advertisements (from the collected data advertising networks can make a variety of inferences about each consumer's interests and preferences). The result of this data collection and linkage is a profile of the consumer’s spending habits, tastes, preferences, etc. These profiles enable the advertising companies' computers to decide which advertisements should be delivered to a particular consumer. See Daniel L. Jaffe’s explanation of online profiling in a memo Donald S. Clark titled: Online Profiling Project – Comment, P994809/Docket No. 990811219-9219-01, at

Web bugs are also called “Web beacons” or “clear GIFs,” and are often used in combination with cookies (see below). A Web bug is normally a transparent graphic image (e.g. a JPEG or GIF file) one pixel by one pixel in size and embedded on a Web site or in an e-mail that is used to monitor the user’s activity while visiting the Web site or viewing/sending the e-mail. The information that is normally gathered by the Web bug when a user visits a Web page (and thereby downloads the image) is the IP address of the user’s computer, the time the Web bug was viewed and for how long, the type of browser that downloaded the image, and information contained on cookies. Web bugs are typically used by a third-party to monitor the activity of a Web site. Sometimes a Web bug can be detected by viewing the source code of a Web page and looking for any IMG tags in the code that load from a different server than the rest of the site. The user can block Web bugs from monitoring his or her Internet activity by disabling cookies in the browser used to navigate the Internet. If the user disables cookies in the browser the Web bug will still account for an anonymous visit, but will not collect any personally identifiable information. See Christopher Saunders, Congressional Group to Study Web Bugs, (February 9, 2001), at

Cookies (named after the Unix programming concept of ‘magic cookies’) are small text files located on a computer’s hard drive that contain messages which are read by Web servers. These small text files are downloaded by a user through his or her browser from a Web server. After downloading the text file, the browser stores the downloaded message on the computer’s hard drive. This text message can then be transmitted back to the server every time the browser requests a Web page from the server. Cookies enable a server to identify users and prepare customized Web pages for them. When a user enters a Web site using cookies, he or she may be asked to fill out an online form providing such information as his or her name and interests. This information is converted into a cookie and sent to the user’s Web browser which stores it for subsequent use. The next time the user goes to the same Web site, the user’s browser will transmit the cookie to the Web server. The server can use this information to present the user with custom Web pages (e.g. instead of seeing just a generic welcome page the user might see a welcome page with his or her name on it). Because of the many benefits of the customization enabled by cookies, cookies have become very popular and are commonly used today on ecommerce Web sites. Viktor Mayer-Schonberger, The Cookie Concept, at; Marc Slayton, An Introduction to Cookies, (November 7, 1996), at

12 The term “brick-and-mortar” company is used to distinguish companies with more traditional business models from “dot-coms” which typically start and exist almost exclusively on the Internet and whose primary contact with consumers is through a Web site (or through other online methods such as email).

13 See Robert L. Eisenbach III, The Internet Company's Customer List: Asset or Liability?, 18 Computer & Internet Law 25, 25 (2001) (stating that brick and mortar businesses regularly purchase and sell customer lists).

For example TRUSTe, an independent privacy seal program, has opposed the sale of consumer data to third parties. For further information about TRUSTe’s opposition to the sale of consumer data to third parties, go to their Web site at

15 The differences in the U.S. and European approaches to this issue will be explored at length, infra, Part II.

16 A privacy policy tells Web site visitors about the Web site’s information collection and use practices. Privacy policies have risen in popularity recently as online privacy has become a hot topic. One bankruptcy and ecommerce attorney notes that the typical privacy policy does 5 things:
First, it gives customers notice of what data the website collects and how the company uses the data. Second, it gives the customer a choice to "opt-out" of certain data uses. For example, a customer might be allowed to ask that the company not e-mail promotional materials about new products. Third, the company gives the customer access to his information and the ability to update or correct personal information. Fourth, the privacy policy will describe what steps the company takes to keep the personal information secure. Fifth, the company provides a mechanism to allow customers to enforce the privacy policy. See Warren E. Agin, The Internet Bankruptcy: What Happens When the Bell Tolls for the eCommerce Industry?, 1 J. High Tech L. 1, 14 (2002).

17 This assertion is qualified in the sense that such a sale of consumer data should only be allowed to a successor in interest (a “successor in interest” is a third party who essentially steps into the shoes of the bankrupt company and assumes all the liabilities and promises with respect to the privacy policy of the bankrupt company; Black’s Law Dictionary 6th Edition in its definition of successor in interest states in relevant part: “In order to be a successor in interest, a party must continue to retain the same rights as [the] original owner without change in ownership and there must be change in form only and not in substance…”) in a similar line of business as the bankrupt company. Additionally, this is not to say that a company should be allowed to sell consumer data even to a successor in interest where irreparable harm would result to consumers. However, it is hard to conceive of many circumstances in which irreparable harm would result from such a qualified sale.

18 See Walter W. Miller, Jr. & Maureen A. O’Rourke, Bankruptcy Law v. Privacy Rights: Which Holds the Trump Card?, 38 Hous. L. Rev. 777, 780 (2001) (pointing out that the questions presented (whether or not a bankrupt company can sell consumer data) in the case remain unresolved); see also FTC v., LLC., 2000 WL 1523287 (involving a bankrupt dot-com that attempted to sell consumer data in violation of its privacy policy).

19 In re Toysmart, LLC, No. 00-13995-CJK (Bankr. D. Mass. filed June 9, 2000).

20 For example the Consumer Internet Privacy Enhancement Act. H.R. Res. 313, 106th Congress (1999) (requiring certain online companies to obtain affirmative consent before transferring personally identifiable information to third parties).

“Ecommerce” is short for electronic commerce and is defined as conducting business online (or over the internet). See’s definition of ecommerce at

22 The European Union (“E.U.”) is an international organization that represents the combined interests of its member states: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, Netherlands, Portugal, Spain, Sweden, and the United Kingdom.

23 Council Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data 1995 (O.J. 95/L281) [hereinafter “Directive”].

24 Memorandum on the Accession of the European Communities to the Convention for the Protection of Human Rights and Fundamental Freedoms, adopted by the Commission on April 4, 1979, Bulletin of the E.U., supp. 2/79.

25 Issuance of Safe Harbor Privacy Principles and Transmission to European Commission, 65 Fed. Reg. 45, 666 (Department of Commerce 2000).

26 Companies who wish to do business in Europe through the Internet must comply with Safe Harbor. Id.

27 Suggestions to not enact proposed legislation are also made. The treaty suggested is one between the United States and countries with which it does substantial international business.

29 Id.
30 Id. at 3 - 5.
31 Id. at 5.
32 Id. Note also that other consequences of bankruptcy, such as bankruptcy remaining on a debtor’s credit report for 10 years, make it difficult for a debtor to get a fresh start. Id. at 6.


34 CARRUTHERS & HALLIDAY, supra note 33 at 36, 37.

35 Id.

36 In bankruptcy law, the “estate” refers to the legal entity (not the debtor) that is created by the bankruptcy proceeding. The “trustee” (and the similar “Debtor-in-Possession”) is the administrator of the property of the estate. See HERBERT, supra note 28 at 19.

37 See 11 U.S.C. § 365.

38 In re Hardie, 100 B.R. 284 (Bankr. E.D.N.C. 1989); In re Norquist, 43 B.R. 224, 225 (Bankr. E.D. Wash. 1984).

39 CARRUTHERS & HALLIDAY, supra note 33 at 37.

40 Id.

41 See 11 U.S.C. § 365.

42 For example, as noted supra in Part II A i, competing interests include debtors versus creditors’ interests, and creditors versus other creditors’ interests.

John Rendleman, Customer Data Means Money, Information Week (August 20, 2001), at (noting that some companies spend up to 25 million dollars annually on consumer data).

44 Agin, supra note 16, at 14.

45 Id.

46 Id.

47 Although the collection and sale of consumer data in the absence of a privacy policy may raise similar issues, it is beyond the scope of this comment.

48 Privacy policies are discussed under both the Contract Law and Property Law sections of this comment below.

49 See Toibb v. Radloff, 501 U.S. 157, 163-164 (1991).

50 The Restatement Second of Contracts defines a contract as “a promise or a set of promises for the breach of which the law gives a remedy, or the performance of which the law in some way recognizes as a duty.” RESTATEMENT (SECOND) OF CONTRACTS, § 1. Note also that this typical situation could also be viewed as the formation of a unilateral contract. This is so because the dot-com could be seen as making a promise through its privacy policy, while the consumer accepts by performing (purchasing the goods or services). In any event, the formation of a contract has occurred. See 1-3 Corbin on Contracts § 3.9.

51 In other words, an offer to do business.


53 Id.

54 Id.

55 Id. at 64.

Jon Surmacz, Safety in Numbers, (Dec. 2001), at (surveying more than 2,000 adults and finding that only 3% say they read privacy policies carefully, and 64% say they do not read privacy policies at all or only glanced at them); Brian Sullivan, Is Everybody Sloppy About Privacy?, Computerworld (June 5, 2002), at,aid,101648,00.asp (finding, inter alia, that only 40% of consumers read privacy policies, and 82% of online customers would provide personal information for a $100 sweepstakes entry); see also B.J. Fogg, Et Al., How Do People evaluate a Web Site’s Credibility? Results from a Large Study, Consumer WebWatch (October 29, 2002), at (finding that people in evaluating a Web site’s credibility tended to focus on visual clues such as the aesthetics and design of the Web site rather than its privacy policy).


58 FARNSWORTH, supra note 52, at 85.

59 Id.

60 54 U.S.P.Q. 2d, 1344 (2000).

61 The license agreement included a provision stating that anyone going beyond the home page agrees to the terms and conditions set forth in the license agreement. Id.

62 Ticketmaster Corp., 54 U.S.P.Q. 2d, 1344 (2000). Note that many Web sites will force visitors to click on an “agree” button before purchasing a good or service, or before accessing the Web site generally.

63 Id.

64 Id. Thus a Web site visitor could access the Web site without ever knowing of the existence of the license agreement.

65 Id.

66 306 F.3d 17 (October 1, 2002).

67 Id, at 20.

68 See 11 U.S.C. § 365.

69 See Andrew B. Buxbaum & Louis A. Curcio, When You Can't Sell to Your Customers, Try Selling Your Customers (But Not Under the Bankruptcy Code), 8 Am. Bankr. Inst. L. Rev. 395, 402-403 (2000).

70 Vern Countryman, Executory Contracts in Bankruptcy: Part I, 57 Minn. L. Rev. 439, 460 (1973).

71 Id.

72 This analysis is not meant to address the less typical situation where the consumer has fully performed and the dot-com has gone bankrupt and cannot perform at all (i.e. it cannot perform its substantive end of the bargain). In such a case the consumer is one of the dot-com’s creditors and has a claim to the insolvent debtor’s assets (including value obtained from consumer data). See 11 U.S.C. §§ 101, 501 & 502.

73 See Buxbaum & Curcio, supra note 69, at 403.

74 See 11 U.S.C. § 365.

75 Id.

76 The court should allow the rejection of the privacy policy only insofar as it restricts the sale of the consumer data to the third party. The other terms of the privacy policy should remain intact and should apply to the successor in interest.

77 In effect, the successor in interest takes the place of the debtor and the consumer remains in the same position as before the sale.

78 Section 541 of the Bankruptcy Code defines the bankruptcy estate as including “all legal or equitable interests of the debtor in property as of the commencement of the case.” 11 U.S.C. § 541 (a)(1).

79 The information about consumers could of course be anything that the dot-com has asked for and received from the consumer; e.g. address, age, occupation, etc.

80 A Web form is simply any form used on the Internet. It is employed for the same purposes as hard copy forms, and generally consists of questions asking about various things regarding the Web site visitor.

81 Miller & O'Rourke, supra note 18, at 784.

82 This is the sort of information that can be collected with the use of cookies and/or Web bugs. See notes 6 and 7 for an explanation of Web bugs and cookies respectively.

For example, note the questionnaires that must be filled out before purchasing goods from online retailers such as, or participating in auctions on services related Web sites such as Ebay. See and respectively for examples.

84 I make this assertion based on experience and conversations with others who regularly purchase goods or services online.

Stephanie Dunnewind, The card game: As more grocery chains deal out discount cards, shoppers take sides: savings versus privacy, The Seattle Times Northwest Life, (May 22, 2002), at

86 Miller & O'Rourke, supra note 18, at 782.

87 Id.

88 Id. at 784.

89 See 63 AM. JUR. 2D Property 1, at 66-67 (1997).

90 See BLACK’S LAW DICTIONARY, (6th ed.).


92 D.F. Libling, The Concept of Property: Property in Intangibles, 94 L.Q. Rev. 103, 104 (1978).

93 See Dwyer v. Am. Export Co., 652 N.E. 2d 1351 (Ill. App. Ct 1995) (stating that a customer’s name has no value in and of itself, but becomes more valuable to companies as more and more names are added to the list and categorized in some meaningful way).

94 See, e.g., Avery Dennison Corp. V. Kitsonas 118 F. Supp. 2d 848, 854 (S.D. Ohio 2000); Heritage Benefit Consultants Inc. v. Cole, No. CV001622705, 2001 WL 237240, at 7 (Conn. Super. Ct. Feb. 23, 2001); Strata Mktg., Inc. v. Murphy, 740 N.E. 2d 1166, 1177 (Ill. App. Ct. 2000).

95 Uniform Trade Secrets Act 14 U.L.A. 437, et seq. (1985).

96 Uniform Trade Secrets Act 1 (amended 1985).

97 11 U.S.C. § 541.

98 Ackerman v. Kovac (In re All Am. Petroleum Corp.), 259 B.R. 6 (January 31, 2001) (treating customer lists as property); Phillips v. Diecast Marketing Innovations, L.L.C, 2000 Bankr. LEXIS 615 (February 28, 2000) (stating in relevant part “The debtor’s bankruptcy estate also includes customer lists…”).

99 See generally Domingo R. Tan, Personal Privacy in the Information Age: Comparison of Internet Data Protection Regulations in the United States and the European Union, 21 Loy. L.A. Int'l & Comp. L.J. 661, (1999). This is not to say the United States does not view privacy as an important right. See Griswold v. Connecticut, 381 U.S. 479 (1965) (finding a right to privacy).

See The U.S. Department of Commerce Safe Harbor Workbook, United States Department of Commerce Web site, at

1950, E.T.S. No. 5 (hereafter “ECHR”). The ECHR text is available at


103 Dec 10 1948, G.A. Resolution 217 (A)III 1948. UN Doc A 1810.

104 CAMERON & ERIKSSON, supra note 102, at 23. Article 12 of the UDHR provides, “No one shall be subjected to arbitrary interference with his privacy, family, home and correspondence, nor to attacks on his honor and reputation. Everyone has the right to the protection of law against such interference or attacks.”

105 EHCR art. 8.

106 The Commission is established by the ECHR to ensure the observance of the ECHR. See ECHR art. 19.

107 Id at art. 24.

108 Id. at art. 25.

109 Id.

110 Id.

111 Directive 95/46/EC.

112 Tan, supra note 99, at 676.

113 Directive 95/46/EC.

See Data Protection, at;

Directives are passed by the European Council to harmonize differing laws of member nations on a particular issue. If the law of a member nation conflicts with a directive, the provisions of the directive prevail. The EU developed the Directive "to avoid the complex [sic] and burden of having 15 different national privacy laws." The EU Data Protection Directive: Implications for the U.S. Privacy Debate: Hearing Before the Subcomm. on Commerce, Trade and Consumer Protection, House Comm. on Energy and Commerce, 107th Cong. 43 (2001) (testimony of David Aaron). Available at:

See Sarah H. Wright, Technology makes privacy harder to safeguard, panel notes, (November 1, 2000), at

117 Directive 95/46/EC, art. 6(1)(b).

118 Id. at art. 2(b).

119 Id. at art. 7(a)-(b).

120 Id. at art. 7(c) – (f).

121 Id. at art. 12.

122 Id.

123 Id. at art. 6.

124 Id.

125 Id.

126 Id.

127 Id.

128 Id. at arts. 25-26.

129 Id.

130 Id.

131 Id. at art. 26.

132 Id.

133 Id.

See The U.S. Department of Commerce Safe Harbor Workbook, United States Department of Commerce Web site, at

135 Note that even a recent democratic (democrats being traditionally known for being more likely to be hands-on politicians) President, Bill Clinton, would be considered a moderate interventionist at the most when concerning the Internet. See President William J. Clinton, White House Press Release (July 1, 1997) (arguing for a hands off governmental policy for cyberspace).

See The U.S. Department of Commerce Safe Harbor Workbook, United States Department of Commerce Web site, at

137 Griswold v. Connecticut, 381 U.S. 479 (1965). Specifically the First Amendment's provisions for freedom of expression and association, the Third Amendment's protection against quartering solders in one's home, the Fourth Amendment's protection against unreasonable searches and seizures, the Fifth Amendment's due process clause and freedom from self-incrimination, the Ninth and Tenth Amendments' freedom for people to retain power over state, and the Fourteenth Amendment's due process clause and equal protection clause have all been interpreted to create what has been described as a right to privacy – created out of the ‘penumbra’ of rights found in the constitution. GEOFFREY R. STONE ET AL., CONSTITUTIONAL LAW, 810 - 920 (4th ed. 2001).

138 Jonathan P. Cody, Protecting Privacy Over the Internet: Has the Time Come to Abandon Self-Regulation?, 48 Cath. U. L. Rev. 1183, 1197 (1999). This is not to say that European legislation does not balance the right to privacy with other societal interests, but that with respect to such European legislation the right to privacy tends to ‘weigh more’ when balanced against other interests. See Tan, supra note 99.

139 David A. Castor, Treading Water in the Data Privacy Age: An Analysis of Safe Harbor’s First Year, 12 Ind. Int'l & Comp. L. Rev. 265, 271 (2002).

140 Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq. (1999).

141 Id.

142 Id.

143 Id.

144 Id.

145 5 U.S.C. § 552 (2000).

146 Id.

147 Id.

148 Id.

149 For example, the Internal Revenue Service cannot disclose information on income tax returns.

150 20 U.S.C. § 1232 (1994).

151 Id.

152 A consumer’s video rental history could be collected online (via a Web site that enables the consumer to rent videos online) and the VPPA would apply to such information just as it would to the more traditional means of collecting a consumer’s video rental history by simply keeping track of it in a brick-and-mortar rental store. However, this remains a very narrow class of information. Id.

153 15 U.S.C. § 6501 et seq. (1998).

154 Id.

155 Id.

156 Id.

See Online Consumers Now the Average Consumer, CyberAtlas, at,,5901_800201,00.html.

158 Beth Safier, Between Big Brother and the Bottom Line: Privacy in Cyberspace, 5 Va. J.L. & Tech. 6, 27 at para 75 (2000).

159 Federal Trade Commission Act, 15 U.S.C. § 41.

160 Id.

161 15 U.S.C. § 45.

162 103 F.T.C. 110, 214.

Internet Site Agrees to Settle FTC Charges of Deceptively Collecting Personal Information in Agency's First Internet Privacy Case: Commission Establishes Strong Mechanisms for Protecting Consumers' Privacy Online (Aug. 13, 1998), at

For a more complete description of GeoCities’ services, go to its Web site at

See Complaint, In re GeoCities, at

Agreement Containing Consent Order, In re GeoCities, at

167 Alan E. Littmann, The Technology Split in Customer List Interpretation, 69 U. Chi. L. Rev. 1901 (2002).

168 In re, LLC, No. 00-13995-CJK, (Bankr. D. Mass. 2000).

See First Amended Complaint for Permanent Injunction and Other Equitable Relief, at

170 Id.

171 Id.

See FTC Announces Settlement With Bankrupt Website,, Regarding Alleged Privacy Policy Violations, (July 21, 2000), at Note also that it was the collection of information from children under the age of 13 which led to the Federal Trade Commission’s (“FTC”) first action under the COPPA against Id.

See FTC Sues Failed Website,, for Deceptively Offering for Sale Personal Information of Website Visitors, (July 10, 2000), at

Trusted Universal Standards in Electronic Transactions ("TRUSTe") is a watchdog organization which seeks to build users' trust and confidence in the Internet. TRUSTe, at (stating in part “When you see the TRUSTe seal, you can be assured that you have full control over the uses of your personal information to protect your privacy”).

175 John M. Wingate, The New Economania: Consumer Privacy, Bankruptcy, and Venture Capital At Odds in the Internet Marketplace, 9 Geo. Mason L. Rev. 895, 911 (2001).

See FTC Sues Failed Website,, for Deceptively Offering for Sale Personal Information of Website Visitors, (July 10, 2000), at

FTC Announces Settlement With Bankrupt Website,, Regarding Alleged Privacy Policy Violations (July 21, 2000), at

178 Id.

179 Id.

180 Id.

181 A Qualified Buyer was defined as one that would agree to manage the information pursuant to's Privacy Policy, use the information only to complete orders and to individualize a consumer's shopping experience, and abide by other provisions of the settlement agreement. Id.

182 Id.

See Statement of Commissioner Mozelle W. Thompson,, Inc, at

184 In re, LLC, No. 00-13995-CJK, (Bankr. D. Mass. 2000).

185 See Stephanie Stoughton, List to Be Destroyed, Boston Globe, Jan. 30, 2001, at D7, available at 2001 WL 3916848.

186 See PROSSER & KEETON, HANDBOOK ON THE LAW OF TORTS, CH. 20 (5TH ED. 1984) (discussing the four common law torts of invasion of privacy).

187 Christopher F. Carlton, The Right To Privacy In Internet Commerce: A Call For New Federal Guidelines And The Creation Of An Independent Privacy Commission, 16 St. John’s J.L. Comm. 393, 422 (2002).

188 Id.

189 Id.

See The U.S. Department of Commerce Safe Harbor Workbook, United States Department of Commerce Web site, at

See Self-Regulation and Privacy Online, (July 13,1999), at

See TRUSTe Seal Programs, at

TRUSTe’s “privacy seal” or “trustmark” is a graphic that “signifies to online users that the Web site will openly share, at a minimum, what personal information is being gathered, how it will be used, with whom it will be shared, and whether the user has an option to control its dissemination.” See Frequently Asked Questions, at

See TRUSTe Seal Programs, at

See Junk Busters, at; BBBOnline, at; Electronic Privacy Information Center, at

See Privacy Organizations Reviewed, at

See Mission Statement, at

Federal Trade Commission, Privacy Online: Fair Information Practices In The Electronic Marketplace, A Report To Congress (2002), at

The demand, in this case, is for an adequate level of privacy. Note that there is an ever increasing number of companies that provide consumer privacy products online. Just a few examples include: (at, which provides anonymous Internet surfing, Tropical Software (at, which provides password protection and encryption services, and (, which provides encrypted email.

200 Robert R. Schriver, You Cheated, You Lied: The Safe Harbor Agreement and Its Enforcement by the Federal Trade Commission, 70 Fordham L. Rev. 2777, 2787-2788 (2002).

201 Id.

202 Id.

U.S. Department of Commerce, Safe Harbor Privacy Principles (2000), at

204 Id.

205 Id.

206 Id.

207 Id.

208 Id.

209 Id.

210 Id.

See Rebecca Sykes & Elizabeth de Bony, E.U.-U.S. privacy deal rotten, observers say, InfoWorld (2000), at

See U.S. Department of Commerce, Safe Harbor Enforcement Overview (2000), at

213 See 11 U.S.C. § 365 (allowing the rejection of executory contracts).

214 Id.

215 Id.

216 In re, LLC, No. 00-13995-CJK, (Bankr. D. Mass. 2000).

Note that the trend is moving in this direction, that is, the direction of dot-coms warning Web site visitors that their information may be sold. For example, explicitly states in its privacy policy that it shares consumer information (non-identifiable) with advertisers;, in its privacy policy, notifies Web site visitors that in the event is acquired by another entity, consumer information will be one of the assets transferred to that entity. eBay Privacy Policy, at; Privacy Notice, at

218 A treaty between the United States and nations with which United States companies do most of their international business would obviously be the most beneficial (e.g. Canada, Mexico, Japan, E.U. member nations, etc.).

See Federal Trade Commission, FTC Announces Settlement With Bankrupt Website,, Regarding Alleged Privacy Policy Violations (2000), at

220 This enabling of targeted marketing also prevents waste in that marketing dollars can be spent targeting consumers who are more likely to be interested in the company’s products or services.

221 See Wingate, supra note 175, at 926.

222 It is hard to imagine many damages, if any, flowing from the sale of consumer information to a successor-in-interest that abides by all other promises in the original privacy policy.


The above discussion is intended to be a general commentary on legal issues. Each situation is different and this article is not intended as legal advice. Further, nothing in this article is intended to create an attorney-client relationship.

Disclaimer | Attorney Advertising | Privacy Policy | Sitemap
©2009-2023 Watts Law Offices, P.C.